With so many cyber threats lurking at present, all accounting firms must have an information security policy in place, even if only at a fundamental level, according to IT consultant and managing director of IntrapriseTechKnowlogies Donny Shimamoto, who appeared at the AICPA Engage 2018 conference held in Las Vegas, USA.

A security policy can help protect customer information at a time when confidential data is increasingly under attack, and it also has the potential to protect the accounting firm itself.

Shimamoto said that a firm without a security policy is putting itself in the gross negligence area. Apart from being the managing director at IntrapriseTechKnowlogies, he is also the director of innovation at the Houston CPA Society. He explained that even the effort to have a policy is far better than not having any plan at all.

For accounting firms that do not have any policy in place, he suggests beginning with a basic template. He also said that following up on the policy is crucial.

Daniel T. Moore, CEO and founder of D.T. Moore and Co., located in Salem, Ohio, and a co-speaker with Donny Shimamoto for their Engage 2018 session on identity theft and cyber security, has gone well past that baseline at his accounting firm.

With the cooperation of Donny Shimamoto, Moore has produced policies and procedures to improve the security of his firm, set out in a 47-page policy. Before explaining the measures he has adopted, Dan Moore shared a few daunting statistics.

Moore added that since this year began, the IRS has issued ten reports on identity theft, seven of which were aimed at tax professionals.

Shimamoto explained that, as per the Ponemon Data Breach research published in June 2017, a whopping 47% of data breaches include malware or criminal attacks, 28% of them are the consequence of careless employees, and one-fourth of them come from system failures or IT business process failures. He added that, according to these statistics, the notion that all data breaches happen because of cyber criminals getting into the PC is not correct. The major Equifax data breach in 2017, for instance, occurred due to business-process failure.

Given that stories like these keep pouring in, accounting firms are usually aware of the threat to their customers’ data, and they may have basic policies in place. However, Moore suggested they consider additional actions.

These include:

Consistent communication: During tax season they discuss cyber security every month. All employees have signed up for IRS news releases.

Hiring experts to detect cyber and physical vulnerabilities: Moore hired an ethical hacker to test the systems of the firm. The ethical hacker then gave an official written report, which was very valuable.

Planning for natural disasters: Moore’s accounting firm has a separate safe server room, which has decorative shutters, glass guards, and an alarm.

Compiling contact lists: Accounting firms must work under the assumption that a data breach is still possible, and keep a record close at hand of everyone they must reach out to if and when it happens.